FR: Expose signInWithIdTokenResponse to allow signing in with idToken #292

Closed
acmayberry opened this issue Nov 3, 2017 · 4 comments

@acmayberry

Firebase SDK version: 4.6.0
Firebase Product: auth

I am using Firebase with Alexa account linking. I am able to link the accounts and have a Firebase access token / id token passed into the Lambda function context. I'd like to be able to sign in to Firebase using the provided token.

The method signInWithIdTokenResponse in auth.js does exactly what I'd need to do, but it is not exposed via the external API.

Is there a reason this method cannot be externalized for use?

I am able to use the passed in token to use the REST API, but it would be very nice to use the token to initialize the JS SDK.

@acmayberry acmayberry changed the title FR: Expose to signInWithIdTokenResponse to allow signing in with idToken FR: Expose signInWithIdTokenResponse to allow signing in with idToken Nov 3, 2017
@bojeil-google
Contributor

This is not something we want to expose as it encourages bad practices. Long lived refresh tokens should never leave the client or be passed around.

@bojeil-google
Contributor

I prefer exposing this instead: #49 (comment)
In this case, the credentials don't leave the window. Something like: auth.signInWithApp(appWithCredential)
Other options include passing the ID token and confirming the auth_time is recent and using custom auth. Passing around the refresh token and facilitating sign in with it will only lead to trouble.
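
The option mentioned in the comment above (pass the ID token, confirm `auth_time` is recent, then use custom auth), sketched as an added example that is not part of the original thread or of the Firebase SDK. It assumes a trusted server holding the Admin SDK's auth object with its `verifyIdToken()` and `createCustomToken()` methods; the five-minute window, the skew tolerance, the function names and the offline stub are illustrative assumptions.

```javascript
// Added example: on a trusted server, exchange a verified ID token for a
// custom token only when the sign-in behind it is recent. No refresh token
// is passed around at any point.

const MAX_AUTH_AGE_SECONDS = 5 * 60; // assumed policy value, not from the thread
const CLOCK_SKEW_SECONDS = 30;       // assumed tolerance for clock drift

// Pure check on the claims of an ID token that has ALREADY been verified.
function checkRecentAuth(claims, nowSeconds, maxAgeSeconds = MAX_AUTH_AGE_SECONDS) {
  const authTime = claims && claims.auth_time;
  if (!Number.isInteger(authTime)) {
    return { ok: false, reason: 'missing-auth-time' };
  }
  if (authTime > nowSeconds + CLOCK_SKEW_SECONDS) {
    return { ok: false, reason: 'auth-time-in-future' };
  }
  if (nowSeconds - authTime > maxAgeSeconds) {
    return { ok: false, reason: 'auth-too-old' };
  }
  return { ok: true, reason: null };
}

// adminAuth is expected to be the Admin SDK auth object (admin.auth()).
async function exchangeIdTokenForCustomToken(adminAuth, idToken, nowSeconds) {
  // verifyIdToken checks signature, issuer, audience and expiry; it rejects
  // on failure, so unverified claims never reach the recency check.
  const claims = await adminAuth.verifyIdToken(idToken);
  const now = nowSeconds === undefined ? Math.floor(Date.now() / 1000) : nowSeconds;
  const result = checkRecentAuth(claims, now);
  if (!result.ok) {
    throw new Error('re-authentication required: ' + result.reason);
  }
  // The short-lived custom token is the only credential handed onward.
  return adminAuth.createCustomToken(claims.uid);
}

// Constructed stand-in for admin.auth() so the example runs offline.
function makeStubAuth(claims) {
  return {
    verifyIdToken: async () => claims,
    createCustomToken: async (uid) => 'custom-token-for-' + uid,
  };
}
```

The receiving environment then signs in with `signInWithCustomToken()` and obtains its own session, so the original client's refresh token stays where it was issued.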

@bhernez

bhernez commented Nov 6, 2017

I've read the comments in #49 and considering the method is already implemented, IMHO exposing signInWithIdTokenResponse would help in situations of server-rendering, like Ember.js Fastboot.

@bojeil-google
Contributor

I am sure this is quite convenient for many (usually ignoring best security practices is) but I have no plans to expose this for the security downsides I clearly explained earlier. In fact right now, there is no way to easily revoke refresh tokens which makes exposing this a terrible idea.

@firebase firebase locked and limited conversation to collaborators Oct 25, 2019